Using Secret Key to Foil an Eavesdropper

PAUL CUFFELECTRICAL ENGINEERING

PRINCETON UNIVERSITY

Using Secret Keyto Foil an Eavesdropper

Main Idea

Secrecy for distributed systems

Historic Cryptography Results New Metric for Secrecy

Node A

Node BMessageInformation

Action

Adversary

Distributed System

Attack

Cipher

Plaintext: Source of information: Example: English text: Allerton Conference

Ciphertext: Encrypted sequence: Example: Non-sense text: cu@sp4isit

Encipherer

Decipherer

Ciphertext

Key Key

Plaintext Plaintext

Example: Substitution Cipher

Alphabet A B C D E …

Mixed Alphabet F Q S A R …

Simple Substitution

Example: Plaintext: …RANDOMLY GENERATE A CODEB… Ciphertext: …DFLAUIPV WRLRDFNR F SXARQ…

Caesar Cipher

Alphabet A B C D E …

Mixed Alphabet D E F G H …

Shannon Model

Schematic

Assumption Enemy knows everything about the system except the

keyRequirement

The decipherer accurately reconstructs the information

Encipherer

Decipherer

Ciphertext

Key Key

Plaintext Plaintext

Adversary

C. Shannon, "Communication Theory of Secrecy Systems," Bell Systems Technical Journal, vol. 28, pp. 656-715, Oct. 1949.

For simple substitution:

Shannon Analysis

Perfect Secrecy Adversary learns nothing about the information Only possible if the key is larger than the information

C. Shannon, "Communication Theory of Secrecy Systems," Bell Systems Technical Journal, vol. 28, pp. 656-715, Oct. 1949.

Shannon Analysis

Equivocation vs Redundancy Equivocation is conditional entropy: Redundancy is lack of entropy of the source: Equivocation reduces with redundancy:

C. Shannon, "Communication Theory of Secrecy Systems," Bell Systems Technical Journal, vol. 28, pp. 656-715, Oct. 1949.

Computational Secrecy

Some imperfect secrecy is difficult to crackPublic Key Encryption

Trapdoor Functions

Difficulty not proven Often “cat and mouse” game

Vulnerable to quantum computer attack

W. Diffie and M. Hellman, “New Directions in Cryptography,” IEEE Trans. on Info. Theory, 22(6), pp. 644-654, 1976.

1125897758 834 689

524287

2147483647

X

Information Theoretic Secrecy

Achieve secrecy from randomness (key or channel), not from computational limit of adversary.

Physical layer secrecy Wyner’s Wiretap Channel [Wyner 1975]

Partial Secrecy Typically measured by “equivocation:” Other approaches:

Error exponent for guessing eavesdropper [Merhav 2003]

Cost inflicted by adversary [this talk]

Competitive Distributed System

Node A Node BMessage

Key

Information Action

Adversary

Attack

Encoder:

System payoff: .

Decoder:

Adversary:

Zero-Sum Game

Value obtained by system:Objective

Maximize payoff

Node A Node BMessage

Key

Information Action

Adversary

Attack

Payoff-Rate Function

Maximum achievable average payoff

Markov relationship:

Theorem:

Encoding Scheme

Coordination Strategies [Cuff-Permuter-Cover 10] Empirical coordination for U Strong coordination for Y

K

Theorem:

[Cuff 10]

Lossless Case

Require Y=X Assume a payoff function

Related to Yamamoto’s work [97] Very different result

Also required:

Binary-Hamming Case

Binary Source:Hamming DistortionNaïve approach

Random hashing or time-sharingOptimal approach

Reveal excess 0’s or 1’s to condition the hidden bits

0 1 0 0 1 0 0 0 0 1

* * 0 0 * * 0 * 0 *

Source

Public message

(black line)

(orange line)

What the Adversary doesn’t know can hurt him.

[Yamamoto 97]

Knowledge of Adversary:

[Yamamoto 88]:

No Causal Information (Prior Work)

[Theorem 3, Yamamoto 97]

Theorem:

Choose yields

Summary

Framework for Encryption Average cost inflicted by adversary Dynamic settings where information is available

causally No use of “equivocation” Optimal performance uses both “strong” and

“empirical” coordination.